Exploitation of Rowhammer attack just got easier.
Dubbed ‘Throwhammer,’ the newly discovered technique could allow attackers to launch Rowhammer attack on the targeted systems just by sending specially crafted packets to the vulnerable network cards over the local area network.
Known since 2012, Rowhammer is a severe issue with recent generation dynamic random access memory (DRAM) chips in which repeatedly accessing a row of memory can cause “bit flipping” in an adjacent row, allowing anyone to change the contents of computer memory.
The issue has since been exploited in a number of ways to achieve remote code execution on the vulnerable computers and servers.
Just last week, security researchers detailed a proof-of-concept Rowhammer attack technique, dubbed GLitch, that leverages embedded graphics processing units (GPUs) to carry out Rowhammer attacks against Android devices.
However, all previously known Rowhammer attack techniques required privilege escalation on a target device, meaning attackers had to execute code on targeted machines either by luring victims to a malicious website or by tricking them into installing a malicious app.
Unfortunately, this limitation has now been eliminated, at least for some devices.
Researchers at the Vrije Universiteit Amsterdam and the University of Cyprus have now found that sending malicious packets over LAN can trigger the Rowhammer attack on systems running Ethernet network cards equipped with Remote Direct Memory Access (RDMA), which is commonly used in clouds and data centers.
Since RDMA-enabled network cards allow computers in a network to exchange data (with read and write privileges) in the main memory, abusing it to access host’s memory in rapid succession can trigger bit flips on DRAM.
“We rely on the commonly-deployed RDMA technology in clouds and data centers for reading from remote DMA buffers quickly to cause Rowhammer corruptions outside these untrusted buffers,” researchers said in a paper [PDF] published Thursday.
“These corruptions allow us to compromise a remote Memcached server without relying on any software bug.”
Since triggering a bit flip requires hundreds of thousands of memory accesses to specific DRAM locations within tens of milliseconds, a successful Throwhammer attack would require a very high-speed network of at least 10Gbps.
In their experimental setup, researchers achieved bit flips on a targeted server after accessing its memory 560,000 times in 64 milliseconds by sending packets over LAN to its RDMA-enabled network card.
Since Rowhammer exploits a computer hardware weakness, no software patch can completely fix the issue. Researchers believe the Rowhammer threat is not only real but also has potential to cause real, severe damage.
For more in-depth details on the new attack technique, you can head on to this paper [PDF], titled “Throwhammer: Rowhammer Attacks over the Network and Defenses,” published by the researchers on Thursday.
- Nethammer—Exploiting DRAM Rowhammer Bug Through Network Requests
- GLitch: New ‘Rowhammer’ Attack Can Remotely Hijack Android Phones
- RAMpage Attack Explained—Exploiting RowHammer On Android Again!
- NetSpectre — New Remote Spectre Attack Steals Data Over the Network
- Chinese Hackers Carried Out Country-Level Watering Hole Attack